Mouse wrote:

I propose that the existence of an ISP without source address
filtering is handled by a reputation system similar to what was
brought in place to bring down open SMTP relays, [...]
Unfortunately it is more difficult because the offender is much harder
for the victim to identify.  Suppose, for example, that I get a packet
with ip_src forged to 74.125.226.115.  How can I IDP that sender, even
just for me?  I can't.  I can't even tell the difference between two
senders in different places forging such traffic to me.  I have to get
my upstream to push it to _their_ upstream, etc, until reaching an
offender.  But with open SMTP relays, I can reject the traffic without
needing help from my upstream.


I know that it is harder, but not impossible.
It would be possible for transit providers to stamp any packet that has not been
suitably filtered, e.g. by setting the "evil bit" that was once the subject of an
April Fools' Day RFC.  Any packet accepted from a party that is known not to filter
gets the "evil bit" set, and anyone (provider or end system) willing to take on the
battle will just drop any packets with the "evil bit" set.  Similar to a percentage
of systems no longer prepared to accept mail from systems on a list of known open
relays.

Once a large enough percentage of the internet is dropping this traffic, there will
be an incentive for the ISP to clean up his systems and get his traffic routed
without the evil bit.

Another option would be to have "IP route recording", an option available in IP but
rarely used anymore, revitalized.  When major transit providers enforce the insertion
of route recording options in anything routed, it will be much easier to find where
malicious traffic originates, and to arrange for that source to be cut off from the
internet.

Unfortunately the insertion of a route recording option increases the packet's size
and therefore introduces the known problems with MTUs smaller than 1500.  It could be
done for a percentage of traffic, or triggered by certain conditions (e.g. traffic
coming in from a source other than the destination of traffic to the same address).

Rob
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
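The two mechanisms Rob proposes are concrete enough to show at the packet level. The Python below is an added example for this page; it is not code from the thread or from the NTP pool project. It builds IPv4 datagrams, sets the reserved high-order flag bit that RFC 3514 (the April Fools' Day RFC referred to) names the "evil bit", attaches an RFC 791 Record Route option and performs the per-hop processing a transit router would (write the router's address into the next slot, or leave the option alone once it is full), and shows the size cost mentioned above: a 1500-byte datagram grows to 1540 bytes once the largest Record Route option is attached, which is exactly where the MTU problems begin. The addresses, payload and hop list are constructed sample values from the RFC 5737 documentation ranges, and the function names are my own.

```python
"""Added example (not from the thread or the NTP pool project): IPv4 "evil bit" stamping
(RFC 3514) and Record Route option handling (RFC 791). Addresses are RFC 5737 samples."""
import ipaddress
import struct

BASE_HEADER = 20        # IPv4 header without options
MAX_IHL = 15            # IHL is 4 bits of 32-bit words, so at most 60 header bytes
RR_TYPE = 7             # Record Route option: copied=0, class=0, number=7
OPT_EOL, OPT_NOP = 0, 1
EVIL_BIT = 0x8000       # RFC 3514: the reserved high-order bit of the flags/fragment field

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; a header with a correct checksum sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def record_route_option(slots: int) -> bytes:
    """Empty Record Route option with room for `slots` addresses; 9 is the most that fits."""
    if not 1 <= slots <= 9:
        raise ValueError("Record Route holds 1..9 addresses")
    return bytes([RR_TYPE, 3 + 4 * slots, 4]) + bytes(4 * slots)   # pointer starts at octet 4

def build_ipv4(src, dst, payload, options=b"", evil=False, ttl=64, proto=17) -> bytes:
    """Assemble a datagram; evil=True is the transit provider's 'came from a non-filtering party' stamp."""
    options += bytes(-len(options) % 4)                 # pad with EOL to a 32-bit boundary
    ihl = (BASE_HEADER + len(options)) // 4
    if ihl > MAX_IHL:
        raise ValueError("options exceed the 40 bytes an IPv4 header can carry")
    src_b, dst_b = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    header = bytearray(struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, BASE_HEADER + len(options) + len(payload),
                                   0, EVIL_BIT if evil else 0, ttl, proto, 0, src_b, dst_b)) + options
    header[10:12] = struct.pack("!H", ipv4_checksum(bytes(header)))
    return bytes(header) + payload

def parse_ipv4(packet: bytes) -> dict:
    f = struct.unpack("!BBHHHBBH4s4s", packet[:BASE_HEADER])
    ihl = (f[0] & 0xF) * 4
    return {"ihl": ihl, "total_length": f[2], "evil": bool(f[4] & EVIL_BIT), "ttl": f[5],
            "src": str(ipaddress.IPv4Address(f[8])), "dst": str(ipaddress.IPv4Address(f[9])),
            "options": packet[BASE_HEADER:ihl], "checksum_ok": ipv4_checksum(packet[:ihl]) == 0}

def _find_rr(options: bytes):
    """Offset of the Record Route option within the option area, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == OPT_EOL:
            break
        if kind == RR_TYPE:
            return i
        i += 1 if kind == OPT_NOP else options[i + 1]   # NOP is a lone byte, the rest are TLV
    return None

def record_hop(packet: bytes, router_addr: str) -> bytes:
    """Per-hop Record Route processing from RFC 791: decrement TTL, write this router's address into
    the slot the pointer names and advance it, or leave the option untouched once it is full."""
    out = bytearray(packet)
    ihl = (out[0] & 0xF) * 4
    if out[8]:
        out[8] -= 1
    i = _find_rr(out[BASE_HEADER:ihl])
    if i is not None:
        base = BASE_HEADER + i
        length, pointer = out[base + 1], out[base + 2]
        if pointer <= length:                           # full when the pointer runs past the option
            off = base + pointer - 1                    # pointer is a 1-based octet offset
            out[off:off + 4] = ipaddress.IPv4Address(router_addr).packed
            out[base + 2] = pointer + 4
    out[10:12] = bytes(2)
    out[10:12] = struct.pack("!H", ipv4_checksum(bytes(out[:ihl])))
    return bytes(out)

def recorded_route(packet: bytes) -> list:
    """Addresses recorded so far, in hop order."""
    opts = parse_ipv4(packet)["options"]
    i = _find_rr(opts)
    if i is None:
        return []
    data = opts[i + 3:i + opts[i + 2] - 1]
    return [str(ipaddress.IPv4Address(data[j:j + 4])) for j in range(0, len(data), 4)]

def should_drop(packet: bytes) -> bool:
    """The policy proposed above: refuse anything a transit provider stamped as unfiltered."""
    return parse_ipv4(packet)["evil"]

def demo(mtu: int = 1500) -> dict:
    """Constructed sample: a 1500-byte datagram, then the same one stamped and route-recorded over 3 hops."""
    payload = bytes(1480)                               # 20-byte header + 1480 = exactly 1500 bytes
    plain = build_ipv4("198.51.100.7", "203.0.113.9", payload)
    stamped = build_ipv4("198.51.100.7", "203.0.113.9", payload, options=record_route_option(9), evil=True)
    for hop in ("192.0.2.1", "192.0.2.2", "192.0.2.3"):
        stamped = record_hop(stamped, hop)
    return {"plain_len": len(plain), "stamped_len": len(stamped), "over_mtu": len(stamped) > mtu,
            "route": recorded_route(stamped), "drop": should_drop(stamped), "plain_drop": should_drop(plain)}

if __name__ == "__main__":
    print(demo())
```

Two details matter for the proposal as written. The Record Route option cannot grow per hop: the originator (or the first transit router inserting it) has to pre-allocate the slots, and the header can never hold more than nine addresses, so a long path is only partially recorded. And because the option area is part of the header, every byte added there pushes a full-size datagram past a 1500-byte MTU, which is the fragmentation problem the post points at.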
